ASA5520 and Proxy server

Unanswered Question
Mar 2nd, 2008

Hi All,

Is there such a thing as redirecting certain ports (for example, port 80) from the ASA to a certain IP address that is a proxy server? What I am trying to do is to implement a transparent proxy server in our internal network. The flow is such that nothing changes internally until outbound TCP 80 hits the firewall, then gets redirected to the proxy server and goes out. Not sure if the ASA can do that? If not, how does one go about implementing a transparent proxy server while the firewall is an ASA? (Hardcoding proxy server info in users' browsers is not something I want to do, for lots of other reasons.)

Any help/advice is appreciated.

cisco24x7 Sun, 03/02/2008 - 10:29

I've been trying to get this scenario to work with Pix and squid proxy server since Pix OS version 6.2. To my knowledge, it is NOT possible.

Other firewall vendors such as Checkpoint support transparent proxy. If your firewall is a freeware, Linux iptables is perfectly suitable for this.

The other alternative solution is that you do NOT have to hardcode proxy server info into users' browsers. If you use Microsoft ISA proxy server, you can use Web Proxy Auto Discovery (WPAD) that will make ALL web traffic hit the ISA server. There is nothing to configure on the users

Squid (proxy server on Linux) also supports WPAD as well, if I am not mistaken.

CCIE Security
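
A minimal proxy auto-config file of the kind WPAD distributes, added here as an illustration and not part of any post in this thread; the proxy host, port and internal suffix are constructed placeholders. External sites get no DIRECT fallback, so browsing fails closed if the filtering proxy is unavailable.

```javascript
// wpad.dat / proxy.pac sketch, written in ES5 so older PAC engines accept it.
// Constructed placeholders (not from the thread): proxy.corp.example:3128
// and the ".corp.example" internal DNS suffix.
var PROXY = "PROXY proxy.corp.example:3128"; // no "; DIRECT" fallback: fail closed
var INTERNAL_SUFFIX = ".corp.example";

// Convert a dotted-quad IPv4 literal to an unsigned 32-bit integer, or null.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var ip = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    ip = ip * 256 + octet;
  }
  return ip;
}

// True when `ip` falls inside the network `base`/`bits`.
function inNet(ip, base, bits) {
  return (ip >>> (32 - bits)) === (base >>> (32 - bits));
}

// True for loopback and RFC 1918 literals, which should bypass the proxy.
function isPrivateLiteral(host) {
  var ip = ipv4ToInt(host);
  if (ip === null) return false;
  return inNet(ip, 0x7f000000, 8) || inNet(ip, 0x0a000000, 8) ||
         inNet(ip, 0xac100000, 12) || inNet(ip, 0xc0a80000, 16);
}

// True when `host` ends with `suffix` (ES5 has no String.prototype.endsWith).
function hasSuffix(host, suffix) {
  var at = host.length - suffix.length;
  return at >= 0 && host.indexOf(suffix, at) === at;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return "DIRECT";         // single-label intranet name
  if (hasSuffix(host, INTERNAL_SUFFIX)) return "DIRECT"; // internal DNS zone
  if (isPrivateLiteral(host)) return "DIRECT";           // RFC 1918 / loopback literal
  return PROXY;                                          // everything else is filtered
}
```

Clients find this file through DHCP option 252 or a `wpad` DNS name. A client can ignore it, so the firewall should still permit outbound TCP 80 only from the proxy's address.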

ewong0088 Sun, 03/02/2008 - 15:20

Thank you. It never crossed my mind that PIX/ASA can't do that while I am doing that each and every day via ipchains and iptables. In the past, in a PIX/ASA environment using Websense or N2H2 (Cisco supports these two vendors for redirection), I didn't have to worry about it. And now, changing vendor (I am having a proxy not because I want one, the proxy is doing filtering), I am stuck. WPAD won't work with the new proxy server. Hmmm... the last thing I can try is bridging.

cisco24x7 Sun, 03/02/2008 - 15:58

May I ask what type of proxy you have in your

Most enterprise environments use either:

1- MS ISA with load-balancer such as F5 BigIP in front to load balance http/https traffic,

2- BlueCoat,

3- Squid Proxy (Most MSSPs will use this because it's free),

Microsoft ISA and Bluecoat work with URL filtering such as websense or N2H2 quite well.

To my knowledge, ISA and Bluecoat support

CCIE Security
